Module Name: src Committed By: tteras Date: Tue Sep 1 09:50:00 UTC 2009
Modified Files: src/crypto/dist/ipsec-tools/src/racoon: remoteconf.c Log Message: Change remote conf matching level to matching score. This way one can override anonymous certificate block config with a more exact "inherited" IP-specific block. To generate a diff of this commit: cvs rdiff -u -r1.17 -r1.18 \ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.17 src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.18
--- src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.17 Wed Aug 19 13:54:07 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c Tue Sep 1 09:49:59 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: remoteconf.c,v 1.17 2009/08/19 13:54:07 vanhu Exp $ */
+/* $NetBSD: remoteconf.c,v 1.18 2009/09/01 09:49:59 tteras Exp $ */
 /* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */
@@ -183,12 +183,12 @@
 }
 enum rmconf_match_t {
- MATCH_NONE = 0,
- MATCH_ANONYMOUS,
- MATCH_ADDRESS,
- MATCH_SA,
- MATCH_IDENTITY,
- MATCH_AUTH_IDENTITY,
+ MATCH_NONE = 0,
+ MATCH_BASIC = 0x0000001,
+ MATCH_ADDRESS = 0x0000002,
+ MATCH_SA = 0x0000004,
+ MATCH_IDENTITY = 0x0000008,
+ MATCH_AUTH_IDENTITY = 0x0000010,
 };
 static int
@@ -196,7 +196,7 @@
 struct rmconfselector *rmsel;
 struct remoteconf *rmconf;
 {
- int ret = 1;
+ int ret = MATCH_NONE;
 /* No match at all: unwanted anonymous */
 if ((rmsel->flags & GETRMCONF_F_NO_ANONYMOUS) &&
@@ -206,6 +206,8 @@
 if ((rmsel->flags & GETRMCONF_F_NO_PASSIVE) && rmconf->passive)
 return MATCH_NONE;
+ ret |= MATCH_BASIC;
+
 /* Check address */
 if (rmsel->remote != NULL) {
 if (rmconf->remote->sa_family != AF_UNSPEC) {
@@ -213,7 +215,7 @@
 return MATCH_NONE;
 /* Address matched */
- ret = MATCH_ADDRESS;
+ ret |= MATCH_ADDRESS;
 }
 }
@@ -222,14 +224,14 @@
 if (rmconf_match_etype_and_approval(rmconf, rmsel->etype, rmsel->approval) != 0)
 return MATCH_NONE;
- ret = MATCH_SA;
+ ret |= MATCH_SA;
 }
 /* Check identity */
 if (rmsel->identity != NULL && rmconf->verify_identifier) {
 if (rmconf_match_identity(rmconf, rmsel->identity) != 0)
 return MATCH_NONE;
- ret = MATCH_IDENTITY;
+ ret |= MATCH_IDENTITY;
 }
 /* Check certificate request */
@@ -254,7 +256,7 @@
 return MATCH_NONE;
 }
- ret = MATCH_AUTH_IDENTITY;
+ ret |= MATCH_AUTH_IDENTITY;
 }
 return ret;
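Review bot: The new enum rmconf_match_t values are bit flags that rmconf_match_type now ORs into `ret`, and the log message says the OR-ed value is then compared as a score, but nothing in the hunk records why the weights are powers of two, so a later flag added out of order would silently change which block wins. Suggest a comment above `MATCH_NONE = 0,`: `/* Bit flags OR-ed into a match score; each flag outweighs all lower flags combined, so an identity match ranks above any address+SA match */`. The `ret` accumulating these flags stays declared as `int ret = MATCH_NONE;` in the next hunk; declaring it `enum rmconf_match_t` would make that relationship visible where the value is built.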
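Review bot: `ret |= MATCH_BASIC;` is reached by every remote block that survives the GETRMCONF_F_NO_ANONYMOUS and GETRMCONF_F_NO_PASSIVE filters, so an anonymous block with no further criteria still scores MATCH_BASIC rather than MATCH_NONE and remains a candidate; this preserves the old `ret = 1` (formerly MATCH_ANONYMOUS) behaviour but no longer carries a name that says so. A comment above the line would make the fallback explicit for whoever tunes the selection later: `/* Passed the exclusion filters: every block scores at least MATCH_BASIC; the checks below only add bits or reject outright */`. rmconf_match_type continues past the end of this hunk.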
@@ -284,7 +286,7 @@
 RACOON_TAILQ_FOREACH_REVERSE(p, &rmtree, _rmtree, chain) {
 if (rmsel != NULL) {
- if (rmconf_match_type(rmsel, p) == 0)
+ if (rmconf_match_type(rmsel, p) == MATCH_NONE)
 continue;
 }
@@ -324,11 +326,7 @@
 return 0;
 if (match_type == fctx->match_type) {
- /* Duplicate exact match, something is wrong */
- if (match_type >= MATCH_AUTH_IDENTITY)
- return 1;
-
- /* Otherwise just remember that this is ambiguous match */
+ /* Ambiguous match */
 fctx->num_found++;
 return 0;
 }
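Review bot: The replacement comment `/* Ambiguous match */` drops the information the removed lines carried: two blocks with an identical score are no longer an error even when both matched on authenticated identity, and which one is used now depends on how the caller treats `fctx->num_found`, which is outside this hunk. Because the walk in the first hunk is RACOON_TAILQ_FOREACH_REVERSE, presumably the later-defined block is encountered first — worth confirming and stating, e.g. `/* Equal score: keep the block found first, but count the duplicate so the caller can report the ambiguity */`. The enclosing function begins and ends outside the hunk.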